feat: py sandbox for workflow

* chore: update Dockerfile and sandbox.py
* feat: py sandbox for workflow
* feat: py sandbox for workflow

See merge request: !885

docker/.env.example

@@ -163,3 +163,31 @@ export BUILTIN_CM_GEMINI_PROJECT=""
 export BUILTIN_CM_GEMINI_LOCATION=""
 export BUILTIN_CM_GEMINI_BASE_URL=""
 export BUILTIN_CM_GEMINI_MODEL=""
+
+
+# Workflow Code Runner Configuration
+# Supported code runner types: sandbox / local
+# Default using local
+# - sandbox: execute python code in a sandboxed env with deno + pyodide
+# - local: using venv, no env isolation
+export CODE_RUNNER_TYPE="local"
+# Sandbox sub configuration
+# Access restricted to specific environment variables, split with comma, e.g. "PATH,USERNAME"
+export CODE_RUNNER_ALLOW_ENV=""
+# Read access restricted to specific paths, split with comma, e.g. "/tmp,./data"
+export CODE_RUNNER_ALLOW_READ=""
+# Write access restricted to specific paths, split with comma, e.g. "/tmp,./data"
+export CODE_RUNNER_ALLOW_WRITE=""
+# Subprocess execution restricted to specific commands, split with comma, e.g. "python,git"
+export CODE_RUNNER_ALLOW_RUN=""
+# Network access restricted to specific domains/IPs, split with comma, e.g. "api.test.com,api.test.org:8080"
+# The following CDN supports downloading the packages required for pyodide to run Python code. Sandbox may not work properly if removed.
+export CODE_RUNNER_ALLOW_NET="cdn.jsdelivr.net"
+# Foreign Function Interface access to specific libraries, split with comma, e.g. "/usr/lib/libm.so"
+export CODE_RUNNER_ALLOW_FFI=""
+# Directory for deno modules, default using pwd. e.g. "/tmp/path/node_modules"
+export CODE_RUNNER_NODE_MODULES_DIR=""
+# Code execution timeout, default 60 seconds. e.g. "2.56"
+export CODE_RUNNER_TIMEOUT_SECONDS=""
+# Code execution memory limit, default 100MB. e.g. "256"
+export CODE_RUNNER_MEMORY_LIMIT_MB=""